Analysis of Trojan.Hydraq , aka "Aurora," against Internet Explorer

Discussion in 'malware problems & news' started by Rmus, Jan 20, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Very enlightening article, revealing of a common type of security thinking.

    I hope everyone who read it picked up on #2 of the Seven Stages of the Attack:

    Isn't this the same old stuff? If so, then why this statement:

    The only reason for such a statement, it seems to me, is: That CEO depends on security that attempts to detect/identify/analyze the behavior of the malware executable as it begins its journey inside the computer, rather than security that looks at the malware executable at the gate and throws up a flag: "Hey, you aren't already installed on this computer, so you need Administrative Permission to come in."

    Or similar such alerts, depending on the type of security in place.

    Other after-the-fact thinking is illustrated by this statement in the article:

    A pro-active security-minded person would say,

    And there are many solutions that can apply here.

    It's a monumental task, of course, because an organization is quite different, obviously, than a home system. Thousands of computers, versus one or a few on a local network.

    But solutions are available, if the will on the part of Management is there, which I've already addressed in Post #7 above.

    ----
    rich
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Rich, just a question, I've used Zemana Anti-Logger before, and it's quite a sensitive program.

    All this talk about the exploit being able to capture screenshots, keylogging, which in turn allows the attacker to log in 'legitimately' and access even more personal information, would a program like Zemana Anti-Logger alert the user that screenshot/keylogging was taking place? The user may then realise some form of clean-up is needed to remove a possible malicious file/exploit.

    What I'm trying to work out is would Zemana, or programs like mamutu/threatfire alert a user before the exploit occurred, or would they only provide an alert while screenshot/keylogging were taking place?

    Or would the exploit bypass all three programs mentioned above. :doubt:
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I wonder who this developer is. Is his identity a secret? :D But, if he didn't bother to explain his discoveries on how the exploit works and how it would get its payload running on the system without interference from anti-executables, then there's not much to go with here. All the reports I've seen from various security companies suggest the shellcode is just the usual download and execute type, and the downloaded malware executables do all the actual work. Nowhere have I seen anyone mention said malware executables, or the shellcode, using any sophisticated attacks to gain further privileges or bypass security software like anti-executables. The usual anti-virus disabling thing, for example, seems to depend on the exploited user running with admin rights. So I certainly agree with you on this, Rich.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, Saraceno,

    I'm not familiar with these programs, so I'm sorry that I cannot answer your question.

    Regarding Anti-Keylogging programs: search for that topic on these forums. Last year some time there was a long thread on these products - I think aigle tested some.

    If that thread is too old for a reply, you might start a new one on Anti-keyloggers with the question you have posed here.

    ----
    rich
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Rich, all ok.

    I'll message Zemana - be interesting to see if products that advertise to stop logging, can prevent any logging that occurs with this exploit.

    And I saw aigle's tests. He does a good job. :thumb:
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, he is very thorough.

    ----
    rich
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Updated Investigation

    In another thread, CloneRanger posted this article:

    Report Details Hacks Targeting Google, Others
    February 3, 2010
    http://www.wired.com/threatlevel/2010/02/apt-hacks/#ixzz0eaRljStR

    Here are some of the pertinent points that highlight and add to things I've mentioned in above posts:

    This new category of attacks is called: Advanced Persistent Threats (APT)
    Sound familiar?

    I note that Google is consulting with NSA. If you were advising Google (or other organizations), what would you suggest to prevent such attacks from succeeding?

    ----
    rich
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @ Rmus: just watching here...
    Ya
    As you note, very "after the fact" thinking.
    Uumm: Trust NO-ONE !!, duh, Text only e-mails (pretty basic !!) ??, Sandboxing ??, Anti-Exe's ??
    LOL, how'm I doing... That's what I have here and at the office.

    LMAO: the hidden cost of the "paperless" office: what a flawed concept...

    OOI, one of my regular sites:
    Symantec's published report on the Chinese Google attack (which they cutely call 'Trojan.Hydraq') from 13 and 16 January makes interesting reading:
    http://radsoft.net/security/20100201,00.shtml

    Regards
     
    Last edited: Feb 5, 2010
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @siljaline

    Yes Stinger could help, but only after the event, good to know though. However the Trend Micro free BHO i posted about, supposedly provides active prevention against attacks.

    Anybody installed/tested it?

    @Longboard

    The radsoft link was also worth reading, along with the others in this thread.
     
  10. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Hi guys!

    I find some of the technical discussion confusing. I am interested in understanding the basic architecture of this attack. I have written a summary of what I think happened. Could someone critique it so that we could see if we understand the basics of Aurora? I have put some questions and uncertainties in brackets.

    How the Aurora Exploit Works

    1. Social Engineering to identify targets.

    2. Social Engineering to identify persons in the targets’ social networks.

    3. Construction of a poisoned email: its attachment seems innocent enough (presumably the email is in the name of a member of the target’s social network) but contains a piece of encrypted JavaScript that exploits a known but unpublicized flaw in the browser that allows it to open a connection to the hacker’s Stage I server. (How is the script decrypted?)

    4. The JavaScript script (shell script) downloads from the Stage I server an encrypted program to a user directory and then decrypts it to another name in the same directory. It then executes that decrypted program.

    5. This new program drops another program into a system file, also arranging for the deletion of the original program (covering its tracks; presumably both the encrypted and unencrypted versions of the original program would disappear).

    6. The new program is injected into SVCHOST.EXE (how?), creating a new system process. Several Registry entries are altered.

    7. The new program, a Trojan that enables full control of the target's computer through his desktop, attempts to communicate with a new Stage II IP using a non-standard custom-encrypted protocol (!). It brings in a keyboard and mouse logger. (Would the logger also transfer clipboard contents? Would it detect the contents or at least the use and name of a keyfile?) The Trojan also sends various pieces of information to the hacker that allows the hacker to tailor his methods to the particular case at hand. The Trojan alters more Registry entries. At this stage control has passed from an automated procedure using the Stage I server to human control at the Stage II IP.

    8. The hacker does whatever he wants, normally downloading sensitive files in his own encrypted format to the Stage II IP. He also branches out to other members of the target's intranet, using stolen domain administrator credentials and server password hacks. He takes care to ensure the longevity of his hack even in the face of discovery (evolving exploit).

    Question: Would encryption of the system disk (say by TrueCrypt) have any protective value? Would partial encryption—only of important emails, say, or source-code, sensitive documents and so on—whether by TrueCrypt or Microsoft’s product have any protective value? Would the keylogger be able to detect the encryption keys? Would it be able to detect the key files? Would the keylogger be used to hack into the target’s password manager?

    Also, how certain is it that this is a Chinese attack? Is it possible that it is a false flag attack?

    Thanks, wuthering
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Re: Updated Investigation

    A lot of what to do depends on the topology of the office, its machines, what they are used for, etc. But, no matter what, one thing remains constant: obey the principle of least privilege -- take all possible rights away from everyone and allow only enough for them to do their jobs.

    To start, I would say take administrative rights away from everyone in each office except for one competent admin. And then I would have the admin set up restrictive SRP/AppLocker policies for all the machines. That is, if they decide to keep running Windows at all.
     
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Whole disk encryption's only job is to protect the data on machines from prying eyes when the machine is powered off. By definition, whole disk encryption can't work when the machine is powered on.

    Now partial encryption or file encryption would likely help protect the encrypted files as long as they were actually encrypted and not in use at the time of the attack.

    It could likely do all those things.

    Could be a false flag, it's extremely difficult to trace these things since anyone can use a botnet, etc. as the jumping off point. Perhaps the NSA has ways of doing retroactive traffic analysis that we aren't aware of, but short of them, I would wager it's impossible to trace (and I doubt even they can do it). However, I think it's a pretty fair bet that someone in China is responsible.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It seems so simple, doesn't it? Does an organization need NSA to figure this out?

    The PDF exploit is also a puzzle, because a firewall that monitors outbound connections will stop this in its tracks, and certainly Google and others must have the latest, most sophisticated Enterprise firewall, much less the lowly little Kerio. Here, blocking an unauthorized application, AcroReader, from connecting out to download malware:

    [image: firewall alert]

    Here, blocking spoofing svchost.exe by recognizing both an unauthorized Md5 Binary Signature and unauthorized file location:

    [image: kerioalert.gif]

    As far as taking away Administrative rights, my guess is that most workplaces have become very loose, permitting employees to use company computers almost as a personal computer, with no restrictions on downloading/installing, depending on AV to take care of things.

    The impression I got from discussing this with some System Administrators is that a very unhappy workforce would result from tight restrictions.

    The two types of institutions I'm familiar with who do have such restrictions in place with no problems are the Los Angeles Police Department, and several colleges and universities in my area. The hierarchical command structure in such institutions makes it easier to implement such policies, of course, but in any case, it is a command decision that has to start at the top: The CEO is the one who has to set the policies.

    Such as:

    1) The company computer is for work only.

    2) All additional software/programs needed for work must be checked/approved by Technical Support, who will then install it.

    Again, this is very restrictive, and would certainly result in many grumbles in the workplace if enacted retroactively!

    But, it has been shown to be very effective.

    The SRP/AppLocker/AntiExes types of security both Longboard and chronomatic mention would block the unexpected malware embedded in PDF or MSOffice Documents arriving as email attachments, another common delivery method in exploits against organizations:

    [image: rtf-aeAlert.gif]

    It seems so simple, doesn't it?

    ----
    rich
     
  14. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    So we have some interesting news concerning where the Aurora attacks originated. It appears that the attacks have been traced from Taiwan to Shanghai Jiao Tong University and Lanxiang Vocational School, both in mainland China.

    Shanghai Jiao Tong University's claim to fame is having won the latest international collegiate programming contest--as it often does.

    Here is the article:

    http://www.nytimes.com/2010/02/19/technology/19china.html?scp=1&sq=Shanghai%20Jiaotong%20University&st=cse

    Money quote:

    Within the computer security industry and the Obama administration, analysts differ over how to interpret the finding that the intrusions appear to come from schools instead of Chinese military installations or government agencies. Some analysts have privately circulated a document asserting that the vocational school is being used as camouflage for government operations. But other computer industry executives and former government officials said it was possible that the schools were cover for a “false flag” intelligence operation being run by a third country. Some have also speculated that the hacking could be a giant example of criminal industrial espionage, aimed at stealing intellectual property from American technology firms.

    However, one implication is that there is some possibility of doing retroactive traffic analysis as Chronomatic suggested might be the case.

    Isn't anyone going to critique the architecture I laid out for the attack?

    Thanks, all.

    Wuthering
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Wuthering,


    I read your architecture, and your scenario of how the malware intruded sounds plausible. I have no way of critiquing the rest of it since I don't analyze what malware does once installed.

    For some analyses, see:

    The Trojan.Hydraq Incident: Analysis of the Aurora 0-Day Exploit
    http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit

    You will see that the vulnerability in IE permits the heap spray technique to force the attacker's shell code, which uses urlmon.dll to download ad.jpg, which is the malware executable. This is the exploit itself, which is easily blocked by a number of solutions.

    This next one answers your question about the svchost.exe process:

    Trojan.hydraq Exposed
    http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html


    Finally, what Trojan.hydraq does once installed and in place:

    Trojan.Hydraq's Backdoor Capabilities
    http://www.symantec.com/connect/blogs/trojanhydraqs-backdoor-capabilities

    -rich
     
  16. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Thanks Rich.

    I'm glad that my outline passes the smell test. Don't anyone think that I'm suggesting that I figured out how Aurora worked by myself! I was merely trying to see if I understood what I was reading.

    I went through the three links you gave, Rich. I found the analysis of how the shell script worked valuable.

    I still have a couple of questions:

    1. Once the dropper program is loaded into the target's Documents and Settings folder, what prompts it to execute and decrypt itself into the same folder?

    2. What prompts the decrypted dropper to execute?

    3. Why don't the security analysts agree exactly what happened? One says that it's a buffer overflow exploit; another that it's a heap spray exploit. One (McAfee) says that the Trojan is injected into svchost; another (Symantec) says, no, it's the changes to the Registry that do it. Is the difference terminological or is there something deeper involved?

    One remark. Many, including Symantec, emphasize the pedestrian technical nature of the exploit. Would it be possible to use 'reverse cultural engineering' to assess where the ultimate source might be? What I have in mind is that Americans might want to use something new and shiny and Apollo Moon Project quality for a professional gov't sponsored hack. Some other cultures (no names) might think that something crude and effective is perfectly adequate even for a professional gov't sponsored hack. Maybe it's possible to assess on stylistic grounds where the hack came from.

    Best wishes,

    Wuthering
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm glad they were useful.

    I can't answer you specifically -- that type of analysis is not within my expertise. You might email the analysts at symantec and mcafee to see if they will elaborate!

    I'm not sure of the technical differences. "Heap spray" has been recently used a lot. Check here:

    http://stackoverflow.com/questions/...mong-heap-spraying-heap-overflow-heap-overrun

    Again, I'm not really sure. You need to check with some "experts"!

    I'm sorry I can't be of more help. I've never been that interested in learning to analyze what malware does once installed. I prefer to keep such stuff from getting onto the computer in the first place! It gives me the creeps to think of such stuff intruding, so I avoid thinking about it!

    This would be very interesting if it could be done, since it's accepted by many that it's almost impossible to trace where an exploit was launched -- domain fakery being very easy to do.

    regards,

    -rich
     
  18. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Here's a little more on the origin of the attack:

    http://www.ft.com/cms/s/0/4a6c8332-1f52-11df-9584-00144feab49a.html

    I'm a little sceptical of the psychological analysis of the presumed hacker's personal psychological disposition--did they talk to him on the phone to ask him why he did it? I'm even a little sceptical they got the right guy. However, if they did get the right guy, there are some interesting issues in the abilities of the forensic guys.

    However, the more important thing is the issue of what's a professional hack and what's not. While the presumed hacker is an expert he was content to make do with 'bits and pieces' he found lying around--to do what he had to do he didn't think it necessary to invent the most sophisticated software and trojan ever. And, again presumably, since his attack was successful, there is a lesson to be learned about crude but effective methods in the hacking wars.

    There's also the issue--if they got the right guy, so what? What happens next? He's not going to get extradited.
     